Commit 264e2d6b authored by Thomas Goirand

README.md: document the firewall customization in site.pp.

parent 8801f42d
......@@ -800,6 +800,33 @@ apply. If this happens, one can try to relaunch the puppet thing:
Do this on the controller-1 node first, wait until it finishes, then restart
it on the other controller nodes.
## Adding custom firewall rulles
OCI is using puppet-module-puppetlabs-firewall, and flushes iptables on each
run. Therefore, if you need custom firewall rules, you also have to do it
via puppet. If you want to do apply the same firewall rules on all nodes,
simply edit the site.pp like this in /etc/puppet/code/environments/production/manifests/site.pp:
```
hiera_include('classes')
firewall { '000 allow monitoring network':
proto => tcp,
action => accept,
source => "10.3.50.0/24",
}
```
Note that the firewall rule is prefixed with a number. This is mandatory.
Also, make sure that this number doesn't enter in conflict with an already
existing rule.
What's done by OCI is: protect the controller's VIP (deny access to it from
the outside), and protect the swiftstore ports for account, container and
object servers from any query not from within the cluster. So the above will
allow a monitoring server from 10.3.50.0/24 to monitor your swiftstore
ndoes.
## Setting-up redis cluster
Currently, this is not yet automated:
......
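Review bot: the new heading `## Adding custom firewall rulles` and the last line of the added paragraph (`ndoes`) carry typos ("rules", "nodes"), and `If you want to do apply` / `doesn't enter in conflict with` read better as `If you want to apply` / `doesn't conflict with`. In the example itself, `proto => tcp` and `action => accept` are unquoted barewords, which puppet-lint flags; quote them as `proto => 'tcp'` and `action => 'accept'`. The paragraph says the numeric prefix is mandatory but not why: puppetlabs-firewall orders rules by their title, so the `000` prefix is what places this accept ahead of the deny rules OCI installs for the VIP and the swiftstore ports, and that is worth one sentence. Finally, with no `dport` the rule accepts every TCP port from 10.3.50.0/24, not only the swiftstore account/container/object ports the text mentions; adding a `dport` for the ports the monitoring actually needs would keep the example as narrow as its description.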